This is the mail archive of the
gdb-patches@sources.redhat.com
mailing list for the GDB project.
[patch] read_command_lines can return freed memory
- To: gdb-patches at sourceware dot cygnus dot com
- Subject: [patch] read_command_lines can return freed memory
- From: Eirik Fuller <eirik at hackrat dot com>
- Date: Fri, 15 Jun 2001 01:00:29 -0700 (PDT)
When sourcing a script file with improperly nested control statements,
gdb can store a pointer to freed memory in a cmd_list_element struct,
which can cause subsequent crashes. One test case is to source this
script file twice:
define fp
set $frame = (long *) $arg0
while $frame[0] > $frame
printf "%08x: %08x %08x\n", $frame, $frame[0], $frame[1]
if $frame[1]
if ((uchar **)$frame)[1][-5] == 0xe8
x/i $frame[1] - 5
else
if ((uchar **)$frame)[1][-2] == 0xff
x/i $frame[1] - 2
else
x/i $frame[1]
# end
end
else
x/i $frame[2]
end
set $frame = (long *) $frame[0]
end
end
Removing the # results in a script file which can be sourced with no
errors. The patch included here prevents the crash. Here's a
ChangeLog entry:
2001-06-15 Eirik Fuller <eirik@hackrat.com>
* cli/cli-script.c (read_command_lines): Don't return freed
memory.
Here's the patch:
--- gdb+dejagnu-20010615/gdb/cli/cli-script.c- Tue Mar 13 14:29:14 2001
+++ gdb+dejagnu-20010615/gdb/cli/cli-script.c Thu Jun 14 22:53:17 2001
@@ -995,7 +995,10 @@
discard_cleanups (old_chain);
}
else
- do_cleanups (old_chain);
+ {
+ do_cleanups (old_chain);
+ head = NULL;
+ }
}
if (readline_end_hook)
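Review bot: setting `head = NULL` right after `do_cleanups (old_chain)` in the else branch closes the dangling-pointer window, but it also changes the function's contract on the error path from "returns a freed pointer" to "returns NULL", so every caller that stores the result (the cmd_list_element case described in the cover letter) should be checked to confirm it treats a NULL return as "no command lines" rather than dereferencing it. The ChangeLog entry only says "Don't return freed memory"; a note that read_command_lines now returns NULL when the cleanups run would help readers of the header and the callers, and a short comment above the new `head = NULL;` line stating that `do_cleanups` has just freed the list would make the intent obvious to the next person touching this block.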